DEBIAN-CVE-2026-26331

Source
https://security-tracker.debian.org/tracker/CVE-2026-26331
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26331.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-26331
Upstream
  • CVE-2026-26331
Published
2026-02-24T03:16:01.710Z
Modified
2026-02-24T19:41:43.301437Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
[none]
Details

yt-dlp is a command-line audio/video downloader. Starting in version 2023.06.21 and prior to version 2026.02.21, when yt-dlp's --netrc-cmd command-line option (or netrc_cmd Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL. yt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses --netrc-cmd in their command/configuration or netrc_cmd in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without --netrc-cmd in their arguments or netrc_cmd in their scripts are unaffected. No evidence has been found of this exploit being used in the wild. yt-dlp version 2026.02.21 fixes this issue by validating all netrc "machine" values and raising an error upon unexpected input. As a workaround, users who are unable to upgrade should avoid using the --netrc-cmd command-line option (or netrc_cmd Python API parameter), or they should at least not pass a placeholder ({}) in their --netrc-cmd argument.

Affected packages

Debian:12 / yt-dlp

Package

Name
yt-dlp
Purl
pkg:deb/debian/yt-dlp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2023.*
2023.03.04-1
2023.06.21-1
2023.06.22-1~bpo12+1
2023.06.22-1
2023.07.06-1~bpo12+1
2023.07.06-1
2023.09.24-1
2023.09.24-2~bpo12+1
2023.09.24-2
2023.10.07-1~bpo12+1
2023.10.07-1
2023.10.13-1~bpo11+1
2023.10.13-1~bpo12+1
2023.10.13-1
2023.11.16-1~bpo11+1
2023.11.16-1~bpo12+1
2023.11.16-1
2023.12.30-1
2024.*
2024.03.10-1~bpo12+1
2024.03.10-1
2024.04.09-1~bpo12+1
2024.04.09-1
2024.05.26-1~bpo12+1
2024.05.26-1
2024.05.27-1~bpo12+1
2024.05.27-1
2024.07.01-1
2024.07.02-1~bpo12+1
2024.07.02-1
2024.07.07-1
2024.07.09-1~bpo12+1
2024.07.09-1
2024.07.16-1~bpo12+1
2024.07.16-1
2024.07.25-1~bpo12+1
2024.07.25-1
2024.08.01-1~bpo12+1
2024.08.01-1
2024.08.06-1~bpo12+1
2024.08.06-1
2024.09.27-1~bpo12+1
2024.09.27-1
2024.10.07-1~bpo12+1
2024.10.07-1
2024.10.22-1~bpo12+1
2024.10.22-1
2024.11.04-1
2024.11.18-1~bpo12+1
2024.11.18-1
2024.12.03-1~bpo12+1
2024.12.03-1
2024.12.06-1~bpo12+1
2024.12.06-1
2024.12.13-1~bpo12+1
2024.12.13-1
2024.12.23-1~bpo12+1
2024.12.23-1
2025.*
2025.01.12-1~bpo12+1
2025.01.12-1
2025.01.15-1~bpo12+1
2025.01.15-1
2025.01.26-1~bpo12+1
2025.01.26-1
2025.02.19-1~bpo12+1
2025.02.19-1
2025.03.21-1~bpo12+1
2025.03.21-1
2025.03.25-1
2025.03.26-1~bpo12+1
2025.03.26-1
2025.03.27-1~bpo12+1
2025.03.27-1
2025.03.31-1~bpo12+1
2025.03.31-1
2025.04.30-1~bpo12+1
2025.04.30-1
2025.05.22-1
2025.06.09-1
2025.06.25-1
2025.06.30-1
2025.07.21-1
2025.08.11-1~bpo13+1
2025.08.11-1
2025.08.20-1
2025.08.22-1
2025.08.27-1~bpo13+1
2025.08.27-1
2025.09.05-1~bpo13+1
2025.09.05-1
2025.09.23-1
2025.09.26-1~bpo13+1
2025.09.26-1
2025.10.14-1~bpo13+1
2025.10.14-1
2025.10.22-1~bpo13+1
2025.10.22-1
2025.11.12-1~bpo13+1
2025.11.12-1
2025.12.08-1~bpo13+1
2025.12.08-1
2026.*
2026.01.31-1~bpo13+1
2026.01.31-1
2026.02.21-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26331.json"

Debian:13 / yt-dlp

Package

Name
yt-dlp
Purl
pkg:deb/debian/yt-dlp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

2025.*
2025.04.30-1
2025.05.22-1
2025.06.09-1
2025.06.25-1
2025.06.30-1
2025.07.21-1
2025.08.11-1~bpo13+1
2025.08.11-1
2025.08.20-1
2025.08.22-1
2025.08.27-1~bpo13+1
2025.08.27-1
2025.09.05-1~bpo13+1
2025.09.05-1
2025.09.23-1
2025.09.26-1~bpo13+1
2025.09.26-1
2025.10.14-1~bpo13+1
2025.10.14-1
2025.10.22-1~bpo13+1
2025.10.22-1
2025.11.12-1~bpo13+1
2025.11.12-1
2025.12.08-1~bpo13+1
2025.12.08-1
2026.*
2026.01.31-1~bpo13+1
2026.01.31-1
2026.02.21-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26331.json"

Debian:14 / yt-dlp

Package

Name
yt-dlp
Purl
pkg:deb/debian/yt-dlp?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2026.02.21-1

Affected versions

2025.*
2025.04.30-1
2025.05.22-1
2025.06.09-1
2025.06.25-1
2025.06.30-1
2025.07.21-1
2025.08.11-1~bpo13+1
2025.08.11-1
2025.08.20-1
2025.08.22-1
2025.08.27-1~bpo13+1
2025.08.27-1
2025.09.05-1~bpo13+1
2025.09.05-1
2025.09.23-1
2025.09.26-1~bpo13+1
2025.09.26-1
2025.10.14-1~bpo13+1
2025.10.14-1
2025.10.22-1~bpo13+1
2025.10.22-1
2025.11.12-1~bpo13+1
2025.11.12-1
2025.12.08-1~bpo13+1
2025.12.08-1
2026.*
2026.01.31-1~bpo13+1
2026.01.31-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-26331.json"